Abstract. With the increasing popularity of the cloud, clients outsource
their data to clouds in order to take advantage of unlimited virtualized
storage space and the low management cost. This trend prompts privately
outsourced computation, called multiparty cloud computation (MCC): given
k clients storing their data in the cloud, how can they perform a joint
functionality by contributing their private data as inputs and making
use of the cloud's powerful computation capability? Namely, the clients
wish to outsource computation to the cloud together with their private
data stored in the cloud, which naturally happens when the computation
involves large datasets, e.g., to analyze malicious URLs. We note that
the MCC problem is different from widely considered concepts, e.g.,
secure multiparty computation and multiparty computation with server aid.

To address this problem, we introduce the notion of homomorphic threshold
proxy re-encryption schemes, which are encryption schemes that enjoy
three promising properties: proxy re-encryption - transforming encrypted
data of one user to encrypted data of a target user, threshold
decryption - decrypting encrypted data by combining secret key shares
obtained by a set of users, and homomorphic computation - evaluating
functions on the encrypted data. To demonstrate the feasibility of the
proposed approach, we present an encryption scheme which allows anyone
to compute arbitrarily many additions and at most one multiplication.



1 Introduction 

The concept of cloud computing has been widely accepted by individuals and
enterprises. It is getting more and more popular because ideally it can provide
unlimited computation capability and storage space by virtualizing vast physical
computer resources and integrating them together. Due to these advantages as
well as the low management cost, individuals and enterprises have been taking
actions to outsource their data to clouds and hopefully to outsource computation,
which is still a challenging task that has not yet been well resolved in the
literature.

In the present paper, we consider the problem that clients (individuals or
enterprises) wish to outsource computation to the cloud together with their
private data stored in the cloud. More specifically, we consider the problem
formulated as follows:

Multiparty Cloud Computation (MCC). Consider k clients, $p_1, \ldots, p_k$,
who store their data $x_1, \ldots, x_k$ in clouds in an encrypted form. They
wish to cooperate in order to efficiently and securely compute the function
$f(x_1, \ldots, x_k)$ by utilizing the computation capability of clouds.

Here the terms "efficiently" and "securely" pose some intuitive requirements
for solving the MCC problem:

1. The communication overhead between the clients and the cloud should be
minimized for the purpose of efficiency. This rules out some trivial
solutions where the clients download their data from the cloud, decrypt
them to obtain the original data, and then adopt secure multiparty
computation protocols with cloud aid. Since downloading data from the cloud
imposes heavy communication overhead, it dispels the benefit of the cloud.
In addition, the evaluation of functionalities should be performed in the
cloud in order to take advantage of the cloud's computation capability.

2. The data privacy should be preserved for the purpose of security, which is
threefold: (i) the data stored in the cloud should be kept private, namely the
data should be encrypted before being outsourced to the cloud; (ii) the
evaluation result should be kept private from the cloud; (iii) each client
cannot learn anything other than the result of the evaluation $f$ and the
information revealed by that.

While the MCC problem is quite similar to the multiparty computation (MPC)
problem [5] at first glance, it is in fact different. In the multiparty
computation problem, the inputs of the evaluation reside at the client side.
Moreover, the evaluation is performed by the clients themselves, rather
than by the cloud as in the case of MCC. These two distinctions make MCC
more difficult than MPC because of the efficiency demand and the privacy issue
stated above. More information about MPC can be found in [7].

Another related problem is secure multiparty computation with server aid,
which was recently introduced in [5]. Secure multiparty computation with
server aid can be regarded as a bridge across the gap between MCC and MPC,
because the inputs of the evaluation are still stored locally, similar to MPC,
but the evaluation is performed in the cloud, analogous to MCC.

Applications. Among many others, here we present two applications of
multiparty cloud computation.

1. Malicious URLs Detection: In order to automatically detect malicious URLs,
a researcher may propose a complicated model which involves many features
distilled from a large dataset, e.g., malicious URL samples and the web pages
pointed to by the URLs. To make the model more accurate, the detection model
should be trained with a mass of data from many anti-virus companies. However,
these companies store the data in the cloud for the sake of economy
and are unwilling to share the data directly with the researcher. Therefore, the
researcher has to outsource the evaluation (detection model) to the cloud,
so that the cloud can perform the evaluation by taking as inputs the data
from the companies.

2. Healthcare Information Query: Healthcare service providers (hospitals)
maintain their patient records and now would outsource these databases to the
cloud. They may encrypt the databases in order to preserve patient privacy
and to comply with some regulations. A research group tries to estimate
the trend of a certain disease by analyzing the symptoms from a large
number of patients. The hospitals are reluctant to share their databases with
the research group, and only allow the group to perform evaluation on top of
their data. Hence, the research group has to describe its estimation model
and let the cloud evaluate the model instead.

2 Model Formulation 

System Model. We consider three types of entities in our model: a third party,
a service provider providing service in the cloud, and many clients making use
of the cloud service. Typically, the service provider may not be the cloud
vendor, although we refer to it as the cloud for short here. The third party is
independent from the clients and the cloud, and is responsible for key
management when considering the cryptographic primitives.

The clients not only outsource their data to the cloud, but also outsource
the computation functions, which can be any models to analyze or estimate the
data. The cloud hosts the data owned by clients in an isolated manner - individual
clients' data are separated from each other, and the cloud provides a certain
level of reliability, e.g., satisfying some SLA agreed with clients. The cloud
will evaluate the functions for the clients, and eventually the clients learn
the result but the cloud does not learn anything from it. We further assume
there exists a secure and authenticated communication channel between any two
entities.

Adversarial Model. The security threat originates from the misbehavior of
the clients and the cloud. We consider a computationally bounded adversary
model - the semi-honest but curious model, which specifies the behaviors of the
clients and the cloud. Specifically:

1. The clients and the cloud execute the protocol's specification exactly; 

2. The cloud provides reliable storage service, namely it does not modify or 
destroy the stored data; 

3. The inputs of the function are provided appropriately. Some techniques,
e.g., keyword search, can be adopted to help the cloud prepare the dataset for
the function.

4. The cloud is curious and makes great effort to infer something from the
execution;

5. While a client may be reluctant to leak any information related to its own
data stored in the cloud, it desires to learn information from other clients'
datasets.



We also emphasize that the third party is fully trusted. The trusted third 
party will be responsible for issuing keys, and managing key distribution as 
needed. 

3 Homomorphic Threshold Proxy Re-Encryption Scheme 

In order to preserve privacy, the clients will encrypt their data when they
outsource it to the cloud. However, the encrypted form of data greatly impedes
its utilization due to its randomness. Many efforts have been made to enable
data usage without undermining the data privacy. Homomorphic encryption
has been one of the critical techniques to achieve this objective and can be
found in volumes of research work [3, 4, 6, 1, 2]. However, simply adopting
homomorphic encryption does not work in MCC, because a homomorphic
encryption scheme can only perform homomorphic evaluation on
ciphertexts under the same public/private keys. In MCC the inputs of the
functions are from multiple clients with their own public/private keys, which
prohibits adopting homomorphic encryption schemes directly. This inspires us to
introduce the proxy re-encryption capability into homomorphic encryption
schemes.

In practice, we propose homomorphic threshold proxy re-encryption schemes
with the following desirable properties:

— Homomorphism: Given two ciphertexts $c_1$ and $c_2$ on plaintexts $m_1$ and
$m_2$ respectively, one can obtain the ciphertext on the plaintext $m_1 + m_2$
and/or $m_1 \cdot m_2$ by evaluating $c_1$ and $c_2$ without decrypting the
ciphertexts.

— Proxy re-encryption: Given a proxy re-encryption key, the proxy can
transform a ciphertext of one user to a ciphertext of the target user.

— Threshold decryption: By dividing the private key into several pieces of
secret shares, all clients can work together to decrypt the ciphertext - the
output of the function.

3.1 Scheme Definition 

Definition 1. (homomorphic threshold proxy re-encryption) A homomorphic
threshold proxy re-encryption scheme, denoted by A, consists of the following
polynomial-time algorithms:

Setup($1^\ell$): Given security parameter $1^\ell$, this algorithm outputs the
global parameter param, which includes the specification of message space,
plaintext space, and ciphertext space. We assume that param is implicitly
included as input in the following algorithms.

Keygen: This algorithm generates a public/private key pair
$(\mathrm{PK}_i, \mathrm{SK}_i)$ for client $i$.

ThresholdKeygen($k$): Here $k$ is the expected number of secret shares. This
algorithm generates a public/private key pair, and divides the private key
into $k$ shares, with which $k$ clients together can decrypt a ciphertext
encrypted with the corresponding public key. We denote the public/private keys
as $(\mathrm{SPK}, \mathrm{SSK})$, where
$\mathrm{SSK} = \{\mathrm{SSK}_1, \ldots, \mathrm{SSK}_k\}$. We call
$(\mathrm{SPK}, \mathrm{SSK})$ the target public/private key.

ProxyKeygen($\mathrm{SK}_i$, $\mathrm{SPK}$): This algorithm allows client $i$
to generate a proxy re-encryption key $\mathrm{RK}_i$ by taking as inputs its
private key $\mathrm{SK}_i$ and the target public key $\mathrm{SPK}$, such that
the proxy can re-encrypt a ciphertext under $\mathrm{PK}_i$ to a ciphertext
under $\mathrm{SPK}$.

Enc($M$, $\mathrm{PK}_i$): Given the message $M$ and public key
$\mathrm{PK}_i$, this algorithm encrypts $M$ and outputs ciphertext $C$.

ProxyEnc($C$, $\mathrm{RK}_i$): Given ciphertext $C$ under public key
$\mathrm{PK}_i$ and a re-encryption key $\mathrm{RK}_i$, this algorithm outputs
ciphertext $C'$ under public key $\mathrm{SPK}$ by re-encrypting $C$.

HomoEval($\{C'_1, \ldots, C'_k\}$, $\mathrm{SPK}$, $f$): Given a set of
ciphertexts $C'_1, \ldots, C'_k$ under the public key $\mathrm{SPK}$,
corresponding to the messages $m_1, \ldots, m_k$, this algorithm generates
ciphertext $C'_h$, such that
$C'_h = \mathrm{Enc}(f(m_1, \ldots, m_k), \mathrm{SPK})$.

Decrypt($C$, $\mathrm{SK}_i$): Given ciphertext $C$ under public key
$\mathrm{PK}_i$, this algorithm decrypts the message $m$ from $C$ with private
key $\mathrm{SK}_i$.

ThresholdDec($C'_h$, $\mathrm{SSK} = \{\mathrm{SSK}_1, \ldots, \mathrm{SSK}_k\}$):
Given ciphertext $C'_h$ under public key $\mathrm{SPK}$, this algorithm
decrypts the message $m$ from $C'_h$ with the cooperation of $k$ clients
holding secret shares $\mathrm{SSK}_i$, $1 \le i \le k$, respectively.

3.2 MCC Protocol 

With the homomorphic threshold proxy re-encryption scheme A defined as
above, we can construct a protocol to solve the MCC problem. Let
$\{(P_1, M_1), \ldots, (P_k, M_k)\}$ be the set of pairs of clients and their
own data involved in the MCC problem. Note that $M_i$ will be outsourced to the
cloud in an encrypted form. We also assume that all clients and the trusted
third party share the common parameter generated by A.Setup.

Setup Phase:

— The trusted third party invokes A.Setup and initializes the public parameter
of A, which will be shared by all clients.

— Client $i$ invokes A.Keygen and generates a public/private key pair
$(\mathrm{PK}_i, \mathrm{SK}_i)$.

— Client $i$ encrypts its data $M_i$ with the public key $\mathrm{PK}_i$,
obtains $C_i$, and then outsources $C_i$ to the cloud.

Preparation Phase:

— The trusted third party invokes A.ThresholdKeygen and obtains a
public/private key pair
$(\mathrm{SPK}, \{\mathrm{SSK}_1, \ldots, \mathrm{SSK}_k\})$. It publishes the
public key $\mathrm{SPK}$ and distributes the share of the private key
$\mathrm{SSK}_i$ to client $i$ through a secure channel, assuming there are
$k$ clients contributing their data.

— Client $i$ ($1 \le i \le k$) invokes A.ProxyKeygen by taking as inputs
$\mathrm{SK}_i$ and $\mathrm{SPK}$, and generates a proxy re-key
$\mathrm{RK}_i$. Then client $i$ sends $\mathrm{RK}_i$ to the cloud.

— The cloud invokes A.ProxyEnc by taking as inputs ciphertext $C_i$ and
$\mathrm{RK}_i$ ($1 \le i \le k$). The ciphertext output by A.ProxyEnc is
denoted by $C'_i$.



Evaluation Phase:

— The cloud invokes A.HomoEval by evaluating function $f$ with the inputs
$C'_1, \ldots, C'_k$ and outputs a result output.

Decryption Phase:

— The $k$ clients invoke A.ThresholdDec with their own secret shares of the
private key $\mathrm{SSK}_1, \ldots, \mathrm{SSK}_k$ and output, so that they
obtain the result of $f(M_1, \ldots, M_k)$.



3.3 A Homomorphic Threshold Proxy Re-encryption scheme 

To demonstrate the feasibility of the proposed encryption scheme, we present
such a scheme, which allows the cloud to compute arbitrarily many
multiplications with the ciphertexts under the target public/private keys.

— Setup($1^\ell$): Let $p$ be an $\ell$-bit prime, and let $G$, $G_T$ be two
cyclic groups of order $p$. Let $e$ be a bilinear map,
$e : G \times G \to G_T$. Let $g$ be a generator randomly selected from the
group $G$, and $Z = e(g, g)$. The message space is $G_T$.

— Keygen($i$): Client $i$ selects $a_i$ from $\mathbb{Z}_p^*$ uniformly at
random, so that its public key is $\mathrm{PK}_i = g^{a_i}$ and its private
key is $\mathrm{SK}_i = a_i$.

— ThresholdKeygen: The trusted third party selects $a_0$ from
$\mathbb{Z}_p^*$ uniformly at random. Let $\mathrm{SPK} = g^{a_0}$ and
$\mathrm{SSK} = \{\mathrm{SSK}_1, \ldots, \mathrm{SSK}_k\}$, which is generated
as follows: let $s(x) = \sum_{i=0}^{k-1} b_i x^i$, where $b_0 = 1/a_0$ and
$b_i$ ($0 < i < k$) are selected from $\{1, \ldots, p - 1\}$ uniformly at
random, and let $\mathrm{SSK}_i = (i, s(i))$. Without loss of generality, we
assume $k \ge 2$.

— ProxyKeygen($\mathrm{SK}_i$, $\mathrm{SPK}$): Given client $i$'s private key
$\mathrm{SK}_i = a_i$ and the target public key $\mathrm{SPK} = g^{a_0}$
published by the third party, client $i$ generates the proxy re-key
$\mathrm{RK}_i = \mathrm{SPK}^{1/a_i}$.

— Enc: Given message $M_i \in G_T$, client $i$ selects $r_i$ from
$\mathbb{Z}_p^*$ uniformly at random and generates ciphertext
$C_i = (C_{i1}, C_{i2})$ as:

$$C_{i1} = \mathrm{PK}_i^{r_i}, \quad C_{i2} = Z^{r_i} M_i$$

— ProxyEnc: Given the ciphertext $(C_{i1}, C_{i2})$ under the public key
$\mathrm{PK}_i$ and a re-encryption key $\mathrm{RK}_i = \mathrm{SPK}^{1/a_i}$,
the proxy transforms the ciphertext to $(C'_{i1}, C'_{i2})$ by:

$$C'_{i1} = e(C_{i1}, \mathrm{RK}_i) = e(C_{i1}, \mathrm{SPK}^{1/a_i}), \quad C'_{i2} = C_{i2}$$

— HomoEval($(C'_{11}, C'_{12})$, $(C'_{21}, C'_{22})$, $\mathrm{SPK}$): Given
two ciphertexts $(C'_{11}, C'_{12})$, $(C'_{21}, C'_{22})$ corresponding to the
messages $M_1$, $M_2$ respectively, the ciphertext of the multiplication
$M_1 \cdot M_2$ is $(C'_1, C'_2)$, where

$$C'_1 = C'_{11} \cdot C'_{21}, \quad C'_2 = C'_{12} \cdot C'_{22}$$

— Decrypt: Given the ciphertext $(C_{i1}, C_{i2})$ under the public key
$\mathrm{PK}_i$, client $i$ decrypts it as follows:

$$M_i = C_{i2} / e(C_{i1}, g^{1/a_i}) = Z^{r_i} M_i / Z^{r_i}$$

— ThresholdDec: Given the ciphertext $(C'_1, C'_2)$ under the target public key
$\mathrm{SPK}$, the decryption can be done with the cooperation of the $k$
clients: client $i$ computes

$$w_i = {C'_1}^{s(i)}$$

and sends $w_i$ to all other clients, and then each client decrypts the
ciphertext as

$$M = C'_2 / \prod_{i=1}^{k} w_i^{\lambda_i}$$

where

$$\lambda_i = \prod_{j=1, j \ne i}^{k} \frac{j}{j - i}$$
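The following added example (not code from the paper) runs the MCC protocol of Section 3.2 with the algorithms of Section 3.3 and checks that threshold decryption recovers the product of the clients' messages. It assumes a toy representation in which group elements are stored as their discrete logarithms, so it verifies the algebra only and offers no security; all function names and the modulus are choices made for this example.

```python
# Toy "exponent model" (assumption of this example, NO security): a G element
# g^x is stored as x mod p and a G_T element Z^y as y mod p, so the pairing
# e(g^x, g^y) = Z^(xy) becomes x*y mod p and products in G_T become sums.
import secrets

p = 2**61 - 1                      # prime group order (constructed toy value)

def rand_zp_star():                # uniform element of Z_p^*
    return secrets.randbelow(p - 1) + 1
def inv(x):                        # modular inverse in Z_p
    return pow(x % p, -1, p)

def keygen():                      # SK_i = a_i, PK_i = g^(a_i)
    a = rand_zp_star()
    return a, a                    # (PK_i as exponent of g, SK_i)

def threshold_keygen(k):           # SPK = g^(a_0), SSK_i = (i, s(i))
    a0 = rand_zp_star()
    b = [inv(a0)] + [rand_zp_star() for _ in range(k - 1)]   # b_0 = 1/a_0
    s = lambda x: sum(bi * pow(x, i, p) for i, bi in enumerate(b)) % p
    return a0, [(i, s(i)) for i in range(1, k + 1)]

def proxy_keygen(sk_i, spk):       # RK_i = SPK^(1/a_i)
    return spk * inv(sk_i) % p
def enc(m, pk_i):                  # (PK_i^r, Z^r * M) with M = Z^m
    r = rand_zp_star()
    return pk_i * r % p, (r + m) % p

def proxy_enc(c, rk_i):            # C'_i1 = e(C_i1, RK_i), C'_i2 = C_i2
    return c[0] * rk_i % p, c[1]
def homo_eval(c1, c2):             # componentwise product of G_T elements
    return (c1[0] + c2[0]) % p, (c1[1] + c2[1]) % p

def threshold_dec(c, shares):      # M = C'_2 / prod_i w_i^(lambda_i)
    mask = 0
    for i, s_i in shares:
        lam = 1                    # Lagrange coefficient of share i at x = 0
        for j, _ in shares:
            if j != i:
                lam = lam * j % p * inv(j - i) % p
        mask = (mask + c[0] * s_i % p * lam) % p   # w_i = C'_1^(s(i))
    return (c[1] - mask) % p

def run_mcc(messages):             # one client per message, k = len(messages)
    spk, shares = threshold_keygen(len(messages))
    out = (0, 0)                   # identity pair (Z^0, Z^0)
    for m in messages:
        pk, sk = keygen()
        c = proxy_enc(enc(m, pk), proxy_keygen(sk, spk))
        out = homo_eval(out, c)
    return threshold_dec(out, shares)  # exponent of M_1 * ... * M_k
```

Because a message $M = Z^m$ is stored as its exponent $m$, the value returned by `run_mcc` is the sum of the input exponents, which is the exponent of the product of the messages.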



4 Conclusion 

We initiate the study of multiparty cloud computing, where the cloud provides
both storage service and computation service. The main goal is to enable many
clients, by leveraging the cloud capability, to perform outsourced computation
functions in a secure and private manner. We propose the notion of a homomorphic
threshold proxy re-encryption scheme. Our ongoing work includes the construction
of a fully (or somewhat) homomorphic threshold proxy re-encryption scheme
and its security analysis.